
August 21st, 2008

Websense reports China Netcom DNS cache poisoning

Posted by Ryan Naraine @ 12:43 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Data theft, Exploit code, Firefox, Flash, Google, Malware, Patch Watch, Responsible disclosure

Tags: China Netcom, DNS, DNS Server, Internet Service Provider, Websense Inc., Internet Service Providers (ISPs), Domain Names, Servers, Internet, Hardware

The DNS server of one of China’s largest ISPs has been poisoned to redirect typos to a malicious site rigged with drive-by exploits.

According to a warning from Websense Security Labs, the DNS poisoning attacks are affecting customers of China Netcom (CNC) and are using a malicious iFrame to launch exploits for known vulnerabilities in RealNetworks’ RealPlayer, Adobe Flash Player and Microsoft Snapshot Viewer.

  • When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker.

Websense provided screenshots of an nslookup of a potential mistyped URL. The first shows an unaffected name server, while the second shows the poisoned name server:

Unaffected name server:

Poisoned DNS server:

A user querying an unaffected DNS server is taken through to a clean site, but if the target queries a poisoned name server, the browser is redirected to the attacker’s site with the malicious iFrame code.
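As an added illustration (not code from Websense or the original post), the comparison behind those two nslookup runs can be automated: parse each resolver's reply for the same mistyped name and flag a reply that carries an address where the baseline says the name does not exist, or a different address. The packets, the name `exampel-typo.invalid` and the address 203.0.113.66 are constructed samples.

```python
import socket
import struct

def build_response(qname, rcode, addrs):
    """Build a minimal DNS response (constructed sample data, not a capture)."""
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)                      # QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs)                                       # name = pointer to offset 12
    return header + question + answers

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                             # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(data):
    """Return (rcode, [IPv4 addresses from A records])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4                        # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def compare(baseline, suspect):
    """Classify a suspect resolver's answer against a trusted baseline."""
    (b_rc, b_ips), (s_rc, s_ips) = parse_response(baseline), parse_response(suspect)
    if b_rc == 3 and s_rc == 0 and s_ips:                     # NXDOMAIN vs. a real answer
        return "rewritten-nxdomain", s_ips
    if set(b_ips) != set(s_ips):
        return "mismatch", s_ips
    return "consistent", s_ips

TYPO = "exampel-typo.invalid"                                 # constructed name
clean = build_response(TYPO, 3, [])                           # baseline: NXDOMAIN
poisoned = build_response(TYPO, 0, ["203.0.113.66"])          # documentation-range address
```

A `rewritten-nxdomain` verdict also fires for an ISP's ordinary advertising placeholder, so the returned address still has to be checked against what the ISP is known to serve.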

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 3 Talkback(s)
RE: Websense reports China Netcom DNS cache poisoning
Oh, I'm glad that China Netcom, the cheaper provider in China, isn't available in our apartment building wink

Someti...
Posted by: Internship in China Posted on: 08/22/08
interesting!  Carly1000 | 08/21/08
RE: Websense reports China Netcom DNS cache poisoning  stine2469 | 08/21/08
RE: Websense reports China Netcom DNS cache poisoning  Internship in China | 08/22/08
